
DET0457 Detection of Non-Application Layer Protocols for C2

| Item | Value |
| --- | --- |
| ID | DET0457 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1095 (Non-Application Layer Protocol)

Analytics

Windows

AN1254

Anomalous use of ICMP or UDP by non-network service processes for data exfiltration or remote control, especially if traffic bypasses proxy infrastructure or shows unusual flow patterns.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| Network Traffic Content (DC0085) | NSM:Flow | ICMP/UDP traffic (Wireshark, Suricata, Zeek) |

Mutable Elements

| Field | Description |
| --- | --- |
| ProcessContextAllowList | Processes normally allowed to use ICMP/UDP (e.g., ping.exe, DNS resolver). |
| ByteTransferAnomalyThreshold | Suspicion if the client sends much more data than it receives (e.g., >90%). |
| ProtocolUsageBaseline | Baseline of which protocols are normal per host or segment (ICMP, UDP, etc.). |
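The two Windows rules above (ProcessContextAllowList and ByteTransferAnomalyThreshold) can be expressed as a small evaluator over joined telemetry. The following is an added example, not code from MITRE or the ATT&CK detection-strategy project. It assumes the process Image has already been attached to each flow (as Sysmon Event ID 3 would supply it) and that a flow sensor supplies originator/responder byte counts; the allowlist, the threshold and the sample flows are all constructed.

```python
"""Flag ICMP/UDP flows from non-allowlisted Windows processes or with
client-heavy byte ratios (example added for this page; not a vendor's or
MITRE's implementation). Records are constructed: the process image is what
Sysmon Event ID 3 would report, the byte counts are what a flow sensor would
report, and the join between the two is assumed to have been done upstream."""
from dataclasses import dataclass

# Processes normally expected to speak ICMP/UDP (hypothetical baseline).
PROCESS_CONTEXT_ALLOW_LIST = {"ping.exe", "svchost.exe", "dns.exe"}
# Alert when the client originates at least 90% of the bytes in a flow.
BYTE_TRANSFER_ANOMALY_THRESHOLD = 0.90


@dataclass(frozen=True)
class Flow:
    image: str        # process image name (Sysmon Event ID 3 "Image" basename)
    protocol: str     # "icmp" or "udp"
    dst_ip: str
    orig_bytes: int   # bytes sent by the local client
    resp_bytes: int   # bytes sent back by the remote side


def client_send_ratio(orig_bytes: int, resp_bytes: int) -> float:
    """Fraction of the flow's bytes originated by the client (0.0 for an empty flow)."""
    total = orig_bytes + resp_bytes
    return 0.0 if total == 0 else orig_bytes / total


def evaluate_flows(flows, allow_list=PROCESS_CONTEXT_ALLOW_LIST,
                   threshold=BYTE_TRANSFER_ANOMALY_THRESHOLD):
    """Return (image, dst_ip, reasons) for every ICMP/UDP flow that trips a rule."""
    allowed = {p.lower() for p in allow_list}
    alerts = []
    for f in flows:
        if f.protocol.lower() not in ("icmp", "udp"):
            continue  # this analytic only scopes non-application-layer protocols
        reasons = []
        if f.image.lower() not in allowed:
            reasons.append("process not in ProcessContextAllowList")
        ratio = client_send_ratio(f.orig_bytes, f.resp_bytes)
        if ratio >= threshold:
            reasons.append(f"client sent {ratio:.0%} of bytes")
        if reasons:
            alerts.append((f.image, f.dst_ip, reasons))
    return alerts


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    Flow("ping.exe", "icmp", "10.0.0.5", 64, 64),                 # ordinary ping
    Flow("svchost.exe", "udp", "10.0.0.53", 60, 200),             # ordinary DNS lookup
    Flow("powershell.exe", "udp", "203.0.113.9", 48_000, 1_200),  # unexpected process, outbound-heavy
    Flow("excel.exe", "icmp", "198.51.100.7", 500, 500),          # unexpected process, balanced bytes
]

if __name__ == "__main__":
    for image, dst, reasons in evaluate_flows(SAMPLE_FLOWS):
        print(f"{image} -> {dst}: {'; '.join(reasons)}")
```

The balanced `excel.exe` flow still alerts on process context alone, which is the point of keeping the two rules separate: the byte-ratio rule catches exfiltration-shaped traffic, the allowlist rule catches the wrong process speaking the protocol at all, and each is tuned independently.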

Linux

AN1255

ICMP or raw socket traffic generated by user-mode processes like bash, Python, or nc, typically using ping, hping3, or crafted packets via libpcap or scapy.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Network Connection Creation (DC0082) | auditd:SYSCALL | sendto/connect |
| Network Traffic Content (DC0085) | NSM:Flow | icmp.log, weird.log |

Mutable Elements

| Field | Description |
| --- | --- |
| RawSocketExecutionPath | Uncommon programs using raw sockets (e.g., netcat, Python, nmap). |
| TimeWindow | Tunable window for correlating execution with network events (e.g., 2m). |
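The Linux analytic correlates a program's execution with its raw-socket or sendto activity inside TimeWindow. The following is an added example, not MITRE's or any auditd tooling's code: it parses constructed auditd SYSCALL records (x86_64 syscall numbers: execve=59, socket=41, sendto=44; SOCK_RAW=3 in the socket type argument) and raises one alert per process that is on the RawSocketExecutionPath watchlist and touches the network within the window after its execve. The watchlist, the window and every log line are constructed.

```python
"""Correlate auditd execve records with raw-socket / sendto syscalls from the
same pid inside a time window (example added for this page; not MITRE's
code). Sample records are constructed and follow auditd's SYSCALL layout."""
import re

# Uncommon programs for which raw-socket use is worth alerting on (hypothetical).
RAW_SOCKET_EXECUTION_PATH = {"python3", "nc", "nmap", "hping3"}
TIME_WINDOW_SECONDS = 120.0  # the page's example TimeWindow of 2m

# x86_64 syscall numbers and the SOCK_RAW socket type.
SYSCALL_EXECVE, SYSCALL_SOCKET, SYSCALL_SENDTO = 59, 41, 44
SOCK_RAW = 3

RECORD_RE = re.compile(r"type=SYSCALL msg=audit\((?P<ts>\d+\.\d+):\d+\): (?P<body>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str):
    """Return the fields we need from one SYSCALL record, or None for other record types."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    return {
        "ts": float(m.group("ts")),
        "syscall": int(fields.get("syscall", -1)),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "exe": fields.get("exe"),
        "a1": int(fields.get("a1", "0"), 16),  # auditd logs syscall args in hex
    }


def correlate(lines, watch=RAW_SOCKET_EXECUTION_PATH, window=TIME_WINDOW_SECONDS):
    """One alert per watched pid whose raw socket()/sendto() follows its execve within window."""
    last_execve, alerted, alerts = {}, set(), []
    records = sorted((r for r in map(parse_record, lines) if r), key=lambda r: r["ts"])
    for rec in records:
        if rec["syscall"] == SYSCALL_EXECVE:
            last_execve[rec["pid"]] = rec
            continue
        # SOCK_CLOEXEC / SOCK_NONBLOCK are OR'd into the type, so mask to the low nibble.
        raw_socket = rec["syscall"] == SYSCALL_SOCKET and (rec["a1"] & 0xF) == SOCK_RAW
        if not (raw_socket or rec["syscall"] == SYSCALL_SENDTO):
            continue
        if rec["comm"] not in watch or rec["pid"] in alerted:
            continue
        start = last_execve.get(rec["pid"])
        if start is None or rec["ts"] - start["ts"] > window:
            continue
        alerted.add(rec["pid"])
        alerts.append({
            "pid": rec["pid"], "comm": rec["comm"], "exe": rec["exe"],
            "trigger": "socket(SOCK_RAW)" if raw_socket else "sendto()",
            "seconds_after_exec": rec["ts"] - start["ts"],
        })
    return alerts


# Constructed auditd lines (not real logs). Timestamps are epoch seconds.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1697900000.100:501): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55e0 a2=55f0 a3=0 ppid=4100 pid=4242 uid=1000 comm="python3" exe="/usr/bin/python3.10" key=(null)',
    'type=PROCTITLE msg=audit(1697900000.100:501): proctitle="python3 beacon.py"',
    'type=SYSCALL msg=audit(1697900030.500:502): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=80003 a2=1 a3=0 ppid=4100 pid=4242 uid=1000 comm="python3" exe="/usr/bin/python3.10" key=(null)',
    'type=SYSCALL msg=audit(1697900031.000:503): arch=c000003e syscall=44 success=yes exit=64 a0=3 a1=7ffc1f2a0000 a2=40 a3=0 ppid=4100 pid=4242 uid=1000 comm="python3" exe="/usr/bin/python3.10" key=(null)',
    'type=SYSCALL msg=audit(1697900060.000:504): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55e0 a2=55f0 a3=0 ppid=1 pid=5100 uid=0 comm="ping" exe="/usr/bin/ping" key=(null)',
    'type=SYSCALL msg=audit(1697900060.200:505): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=3 a2=1 a3=0 ppid=1 pid=5100 uid=0 comm="ping" exe="/usr/bin/ping" key=(null)',
    'type=SYSCALL msg=audit(1697900100.000:506): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55e0 a2=55f0 a3=0 ppid=4100 pid=6000 uid=1000 comm="nc" exe="/usr/bin/nc" key=(null)',
    'type=SYSCALL msg=audit(1697900400.000:507): arch=c000003e syscall=44 success=yes exit=32 a0=3 a1=7ffc1f2b0000 a2=20 a3=0 ppid=4100 pid=6000 uid=1000 comm="nc" exe="/usr/bin/nc" key=(null)',
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_AUDIT_LINES):
        print(f'pid {a["pid"]} ({a["exe"]}): {a["trigger"]} {a["seconds_after_exec"]:.1f}s after exec')
```

`ping` opens a raw ICMP socket too, but it is not on the watchlist, so it stays quiet; the `nc` sendto lands outside the window and is likewise ignored, which is exactly the knob TimeWindow exposes. Collecting these records requires audit rules for `execve`, `socket` and `sendto`; the `socket` rule is what lets the code distinguish SOCK_RAW from ordinary datagram sockets.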

macOS

AN1256

Unsigned binaries or interpreted scripts initiating non-standard protocols (ICMP, UDP, SOCKS) outside of baseline network behavior.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Network Traffic Flow (DC0078) | macos:unifiedlog | com.apple.network |
| Network Traffic Content (DC0085) | NSM:Flow | ICMP/UDP monitoring (tcpdump, Wireshark, Zeek) |

Mutable Elements

| Field | Description |
| --- | --- |
| UnsignedBinaryNetworkUsage | Detection threshold for unsigned or transient binaries making ICMP/UDP calls. |

ESXi

AN1257

VMCI (Virtual Machine Communication Interface) traffic between guest and host, or between VMs, originating from non-management tools or unauthorized binaries.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Network Traffic Content (DC0085) | esxi:vmkernel | VMCI syslog entries |

Mutable Elements

| Field | Description |
| --- | --- |
| VMCIBackdoorProcess | Monitor for non-vSphere or non-VMware-native processes using VMCI. |
| GuestToHostCommPattern | Baseline pattern of guest-to-host traffic against which anomalies (unexpected port, volume) are judged. |

Network Devices

AN1258

Non-standard port/protocol pairings or low-entropy ICMP traffic resembling tunneling patterns (e.g., fixed-size pings with delays).

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Network Traffic Content (DC0085) | NSM:Firewall | ICMP/UDP protocol anomaly |
| Network Traffic Flow (DC0078) | NSM:Flow | conn.log, icmp.log |

Mutable Elements

| Field | Description |
| --- | --- |
| ProtocolEntropyThreshold | ICMP/UDP packet content entropy filter to identify encoded payloads. |
| SessionDurationThreshold | Long ICMP/UDP sessions beyond expected limits (e.g., >5min). |
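The network-device analytic combines three signals: payload entropy (ProtocolEntropyThreshold), session length (SessionDurationThreshold) and the fixed-size, evenly spaced echo pattern the description calls out. The following is an added example, not MITRE's or any NSM tool's code. It scores one ICMP echo stream at a time from constructed (timestamp, payload) tuples; the thresholds, the alert rule and all sample sessions are assumptions. One caveat is built in: Shannon entropy of n bytes cannot exceed log2(n), so the entropy test is applied only to payloads of at least MIN_ENTROPY_PAYLOAD bytes, otherwise a default 32- or 56-byte ping pattern and a short encrypted blob look alike.

```python
"""Score an ICMP echo stream for tunneling indicators: high payload entropy,
long session duration, and fixed-size packets at a steady cadence (example
added for this page; not MITRE's code). Sample sessions are constructed."""
import math
from collections import Counter

PROTOCOL_ENTROPY_THRESHOLD = 6.0     # bits per byte, applied only to large payloads
SESSION_DURATION_THRESHOLD = 300.0   # seconds (the page's example of >5min)
MIN_ENTROPY_PAYLOAD = 128            # entropy of n bytes is capped at log2(n); skip short pings
TIMING_CV_LIMIT = 0.10               # max coefficient of variation of inter-packet gaps


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty payload)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze_session(packets):
    """packets: chronologically ordered (timestamp, payload) tuples for one
    src/dst ICMP echo stream. Returns (alert: bool, indicators: list[str])."""
    if len(packets) < 2:
        return False, []
    indicators = []
    duration = packets[-1][0] - packets[0][0]
    long_session = duration > SESSION_DURATION_THRESHOLD
    if long_session:
        indicators.append(f"session lasted {duration:.0f}s")

    # Fixed-size payloads at a steady cadence: normal for ping, but also what a tunnel looks like.
    sizes = {len(p) for _, p in packets}
    gaps = [b[0] - a[0] for a, b in zip(packets, packets[1:])]
    mean_gap = sum(gaps) / len(gaps)
    stdev = math.sqrt(sum((g - mean_gap) ** 2 for g in gaps) / len(gaps))
    regular = len(sizes) == 1 and mean_gap > 0 and stdev / mean_gap < TIMING_CV_LIMIT
    if regular:
        indicators.append(f"fixed {next(iter(sizes))}-byte payloads every ~{mean_gap:.1f}s")

    # Entropy is only meaningful once the payload is long enough to saturate the byte alphabet.
    large = [p for _, p in packets if len(p) >= MIN_ENTROPY_PAYLOAD]
    high_entropy = False
    if large:
        mean_entropy = sum(shannon_entropy(p) for p in large) / len(large)
        high_entropy = mean_entropy > PROTOCOL_ENTROPY_THRESHOLD
        if high_entropy:
            indicators.append(f"mean payload entropy {mean_entropy:.2f} bits/byte")

    # Encoded content alerts on its own; regularity only alerts once the session is also long.
    return high_entropy or (long_session and regular), indicators


# Constructed sample payloads and sessions (not captured traffic).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte default echo data
# 1024 bytes that cycle through all 256 byte values equally: entropy is exactly 8.0 bits/byte.
ENCODED_PAYLOAD = bytes((i * 7919 + 13) % 256 for i in range(1024))

SESSIONS = {
    "normal_ping": [(float(t), WINDOWS_PING_PAYLOAD) for t in range(4)],        # 4 pings, 1s apart
    "suspected_tunnel": [(t * 10.0, ENCODED_PAYLOAD) for t in range(61)],        # 1 KiB every 10s for 10min
    "long_monitor_ping": [(float(t), WINDOWS_PING_PAYLOAD) for t in range(601)], # 10min of standard pings
}

if __name__ == "__main__":
    for name, packets in SESSIONS.items():
        alert, indicators = analyze_session(packets)
        print(f"{name}: {'ALERT' if alert else 'ok'} {indicators}")
```

The `long_monitor_ping` session alerts on duration plus regularity alone, which is deliberate: a host that legitimately pings a gateway for ten minutes is the classic false positive for this analytic, and SessionDurationThreshold (or a per-host baseline that exempts monitoring systems) is where that gets tuned rather than in the entropy filter.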